We are anonymous, we are legion

Mixed signals? Supreme Court notices to states on Facebook arrests

praskrishna — 2013-08-28T08:42:56Z

In wake of the recent arrests of UP-based scholar Kanwal Bharti and Andhra-based PUCL activist Jaya Vindhyala over their Facebook posts, NDTV aired a discussion on the grey areas of the IT Act. Pranesh Prakash, Shreya Singhal and Faizal Farooqui

The video was published by NDTV on August 16, 2013. Pranesh Prakash is quoted.

The NDTV anchor asked Pranesh that this notice — the indicator coming from the government is that nobody seems to really know what section 66A is all about...and at the end of the day we are going to make a case by case decision.

Pranesh said that:

"This not just about 66A. This is actually about rule of law. We see that the arrest of Kanwal Bharti is actually a legal arrest. It goes against a judgment of the Allahabad High Court saying that routine arrests shouldn't be made in cases where the imprisonment term is less than 7 years. He actually hasn't been charged under 66A, he was charged under the IPC. It is not just about Internet censorship. It also very much about the rule of law and that completely breaking down in India and ... people's persectives and government's perspectives many times are withering away when it comes offensive content or what they deem offensive or communal content being posted online...and if something like what Kanwal Bharti posted is actually deemed to be illegal under those provisions then lots of statements that the Prime Minister of India has said should also be deemed to be equally illegal."

Watch the full video below:

For more details visit https://cis-india.org/news/ndtv-the-social-network-mixed-signals-supreme-court-notices-to-states-on-facebook-arrests

India's Internet Privacy Woes

praskrishna — 2013-09-05T11:09:30Z

“For the sake of national security and to protect the privacy of its citizens, India should develop its own social media platforms,” says Dr Kamlesh Bajaj, CEO of Data Security Council of India (DSCI), a Nasscom-promoted ‘self-regulatory’ organisation on data protection and privacy in India, in a blog post dated August 13.

This article by Rohin Dharmakumar was published in Forbes India on August 26, 2013. Pranesh Prakash is quoted.

Citing a litany of woes, including American control over internet infrastructure, Bajaj makes the case for India to take a leaf out of China’s playbook (“even though its reasons were different”) and encourages the creation of “Indian” social media sites and search engines.

“Unfortunately, Dr Bajaj provides a wrong solution to a correct diagnosis,” says Pranesh Prakash, a policy director with the Centre for Internet and Society. “First, I can’t think of any governmental intervention—short of a ban on existing foreign services—that can make a new Indian service successful. Second, India’s privacy laws are worse than those in the US. Nothing will stop the US and Indian governments from coming after this company too.”

The problem arises because services like Facebook and Google store all your data unencrypted on their servers, making it easy for them, or governments and hackers, to monitor everything you do. The correct solution, says Prakash, would be to encourage the creation and use of de-centralised and end-to-end encrypted services that do not store all your data in one place.

For more details visit https://cis-india.org/news/forbesindia-august-26-2013-india-internet-privacy-woes

Election campaign: parties draw battle lines on media platforms

praskrishna — 2013-09-05T10:23:41Z

In the run-up to the 2014 polls, parties are drawing up media strategies that have a focus on young voters.

This article by Venkatesh Upadhyay was published in Livemint on August 26, 2013. Sunil Abraham is quoted.

Major national political parties have begun to sharpen and tweak their tools of public relations and media engagement in the run-up to the 2014 general election, with an eager nod towards a voters list that is expected to be packed by the young.

National parties currently in the process of shortlisting their advertising, public relations and mobile marketing agencies declined to share details.

“The advertising strategy will crystalize by January. We will go for multiple agencies,” said Manish Tewari, spokesperson for the Congress as well as minister for information and broadcasting.

According to people familiar with the selection process, JWT, Crayons Communications and Dentsu India, among others, are all in the race for the Congress business. Home-grown Crayons has worked closely with the Delhi government and Congress in the past.

Refusing to confirm the names on the shortlist, Tewari said it was a line-up of the “usual suspects”.

For social media, the Congress has engaged Delhi-based OMLogic, an online media marketing company, which helped create the website fekuexpress.com that seeks to highlight the supposedly braggart nature of the opposition Bharatiya Janata Party’s chief campaigner Narendra Modi.

The website ran contests in which winners received film tickets. OMLogic was among three shortlisted agencies from 22 that competed for the same account, a person familiar with the bid said. According to others aware of the developments, senior Congress leaders such as Digvijay Singh and Deepender Singh Hooda helped select the agencies.

OMLogic helps clients enhance their brands across platforms and creates social media applications for them. The company declined to comment for this story.

“I believe these elections will represent the first time that political parties will have a conscious media strategy,” said Sanjaya Baru, communications advisor to Prime Minister Manmohan Singh from 2004 to 2008.

	“By conscious I mean that political parties have acknowledged the role of mass media in getting their message across to voters. TV has taken the space of political rallies.” Baru said the media strategy for the coming elections was essentially focused on TV and social media as “both these platforms allow parties to reach out to large parts of the urban and semi-urban demographic”. Close to 60 million new voters have been enrolled for the 2014 election, of whom 17.6 million are 18-19 year-old first-timers. A study by the Iris Knowledge Foundation and Internet and Mobile Association of India (IAMAI) estimates the number of urban social media users to be around 78 million. The main users were in the age groups of 18-24 and 25-34 years.

“By conscious I mean that political parties have acknowledged the role of mass media in getting their message across to voters. TV has taken the space of political rallies.”

Baru said the media strategy for the coming elections was essentially focused on TV and social media as “both these platforms allow parties to reach out to large parts of the urban and semi-urban demographic”.

Close to 60 million new voters have been enrolled for the 2014 election, of whom 17.6 million are 18-19 year-old first-timers. A study by the Iris Knowledge Foundation and Internet and Mobile Association of India (IAMAI) estimates the number of urban social media users to be around 78 million. The main users were in the age groups of 18-24 and 25-34 years.

The Congress has already highlighted the role of social media in its communication strategy. The party held a special session on the use of social media by party members on 22 August that was addressed by minister of state for human resources Shashi Tharoor, and Manish Tewari. In a similar meeting last month, party members were briefed on how to comment on key issues, including the state of the economy, and personalities like Modi, who is also Gujarat chief minister.

It also launched an intranet software called Khidki (Hindi for window) for use by Congress members. According to party politicians, another important part of last month’s exercise was to identify young members who would make up a cadre of spokespersons that would then participate across news channels.

The BJP, meanwhile, has drafted Internet entrepreneurs B.G. Mahesh and Rajesh Jain to help the party with its social media operations. Acknowledging the role of social media in the party’s media strategy, BJP spokesperson Nirmala Seetharaman said, “Our exercise has already taken on board the position which the party enjoys on various social media. We only emphasized the content that such media ought to have,” she added.

Prominent members of the party, led by Modi, have large followings on social media. Modi’s Twitter account is followed by close to 2.1 million people.

Last week, the BJP launched india272.com that would “crowd source” suggestions by the electorate. It also launched a website where its members can upload “chargesheets” on the Congress-led United Progressive Alliance. Visitors to www.bjp.org/upachargesheet can also make use of different social media platforms such as Facebook, Twitter, YouTube and Flickr to register their complaints.

Some Internet activists are sceptical about such strategies. “The average Indian netizen is not that well equipped to critically analyse the content coming from so-called crowdsourced mechanisms,” said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based Internet policy research organization. “I believe that social media might be one step removed from actual voters and might be more oriented towards opinion makers. In that sense social media (in India) behaves very differently from the way it has been used in the US.”

According to an online media expert familiar with the BJP’s social media campaign, the interactive nature of social media helps build up an image of transparency while making the party more accessible to a young audience that has been switching off television news.

In addition, social media allows political leaders to gauge public response quickly.

Ajay Maken, Congress general secretary and the man who heads the party’s communication strategy, pointed out in an article published this month that subjects that become influential on Twitter during the day tend to turn into full-fledged TV debates by the evening.

But political parties are not giving up on television channels just yet.

According to a report by consulting firm KPMG, the number of Indian households with TV sets is estimated to be 154 million, and is expected to grow to 173 million by 2017. TAM Media research estimated the number of TV households to be 123 million in 2009. Meanwhile, cable- and satellite-owning TV households has in the period 2009-2012 ballooned from 90 million to 126 million, according to TAM.

The Congress has issued guidelines to its members on how to behave on television. According to individuals familiar with the move, the party has also set up a research cell that informs Congress spokespersons about subjects that they are asked to speak on.

Congress members who participate in televised debates have been given strict orders to not go on air without a thorough understanding of the nuances of issues—provided to them by Congress researchers. For instance, spokespersons have been advised to rely on facts and be data-specific when confronted with the twin issues of Gujarat’s high-growth economy and Modi’s governance record.

In order to streamline the process, the party has come up with lists of speakers who are focused on specific issues. It has also constituted media cells in each state capitals with three units—spokespersons, social media cell and research —and a social media division for every urban centre with a population of at least a million.

The BJP has devised a similar strategy. Party spokespersons have been asked to mention chief ministers other than Modi if asked about the leadership for the 2014 elections. Arun Jaitley, in a interview to The Hindu, on 19 August had spoken about the possibility of there being close to 10 prime ministerial candidates in the BJP.

The BJP, which held a closed-door media workshop for party members last week, is also keen on research. “A lot of policy requires specialized understanding which is largely domain-specific. In that regard, members of our party will need to be prepared when they speak on such issues,” said spokesperson Seetharaman.

The Congress has already begun a television ads-blitzkrieg to trumpet its record in government. Begun in May, these ads have sought to showcase the fruits of the welfare state, including schemes aimed at the poor, such as theMahatma Gandhi National Rural Employment Guarantee Act, as well a long list of rights-based laws. One well-known ad tells the story of a fictional young woman named Priya who lives in a village but makes use of opportunities in education and improved electricity connections to become a successful entrepreneur.

For more details visit https://cis-india.org/news/livemint-august-26-2013-venkatesh-upadhyay-election-campaign

Out of the Bedroom

nishant — 2013-09-06T08:32:58Z

We have shared it with our friends. We have watched it with our lovers. We have discussed it with our children and talked about it with our partners. It is in our bedrooms, hidden in sock drawers. It is in our laptops, in a folder marked "Miscellaneous". It is in our cellphones and tablets, protected under passwords. It is the biggest reason why people have learned to clean their browsing history and cookies from their browsers.

The article by Nishant Shah was published in the Indian Express on August 25, 2013.

Whether we go into surreptitious shops to buy unmarked CDs or trawl through Torrent and user-generated content sites in the quest of a video, there is no denying the fact that it has become a part of our multimedia life. Even in countries like India, where consumption and distribution of pornography are punished by law, we know that pornography is rampant. With the rise of the digital technologies of easy copy and sharing, and the internet which facilitates amateur production and anonymous distribution, pornography has escaped the industrial market and become one of the most intimate and commonplace practices of the online world.

In fact, if Google trend results are to be believed, Indians are among the top 10 nationalities searching for pornography daily. Even a quick look at our internet history tells us that it has all been about porn. The morphed pictures of a naked Pooja Bhatt adorned the covers of Stardust in the late 1990s, warning us that the true potential of Photoshop had been realised. The extraordinary sensation of the Delhi Public School MMS case which captured two underage youngsters in a grainy sexcapade announced the arrival of user-generated porn in a big way. The demise of Savita Bhabhi — India's first pornographic graphic novel — is still recent enough for us to remember that the history of the internet in India is book-ended by porn and censorship.

Recent discussions on pornography have been catalysed by a public interest litigation requesting for a ban on internet pornography filed in April by Kamlesh Vaswani. Whether Vaswani's observations on what porn can make us do stem from his own personal epiphany or his self-appointed role as our moral compass is a discussion that merits its own special space. Similarly, a debate on the role, function, and use of pornography in a society is complex, rich and not for today.

Instead, I want to focus on the pre-Web imagination of porn that Vaswani and his endorsers are trying to impose upon the rest of us. There is a common misunderstanding that all porn is the same porn, no matter what the format, medium and aesthetics of representations. Or in other words, a homogenising presumption is that erotic fiction and fantasies, pictures of naked people in a magazine, adult films produced by entertainment houses, and user-generated videos on the internet are the same kind of porn. However, as historical legal debates and public discussions have shown us, what constitutes porn is specific to the technologies that produce it. There was a time when DH Lawrence's iconic novel now taught in undergraduate university courses — Lady Chatterley's Lover — was deemed pornographic and banned in India. In more recent times, the nation was in uproar at the Choli ke peeche song from Khalnayak which eventually won awards for its lyrics and choreography.

In all the controversy, there has so far been a "broadcast imagination" of how pornography gets produced, consumed and distributed. There is a very distinct separation of us versus them when it comes to pornography. They produce porn. They distribute porn. They push porn down our throats (that was probably a poor choice of words) by spamming us and buying Google adwords to infect our search results. We consume porn. And all we need to do is go and regulate, like we do with Bollywood, the central management and distribution mechanism so that the flow of pornography can be curbed. This is what I call a broadcast way of thinking, where the roles of the performers, producers, consumers and distributors of pornography are all distinct and can be regulated.

However, within the murky spaces of the World Wide Web, the scenario is quite different. Internet pornography is not the same as availability of pornography on the internet. True, the digital multimedia space of sharing and peer-2-peer distribution has made the internet the largest gateway to accessing pornographic objects which are produced through commercial production houses. However, the internet is not merely a way of getting access to existing older forms of porn. The internet also produces pornography that is new, strange, unprecedented and is an essential part of the everyday experience of being digitally connected and networked into sociality.

The recent controversies about the former congressman from New York, Anthony Weiner, sexting — sending inappropriate sexual messages through his cellphone — gives us some idea of what internet porn looks like. It is not just something captured on a phone-cam but interactive and collaboratively produced. Or as our own Porngate, where two cabinet ministers of the Karnataka legislative assembly were caught surfing some good old porn on their mobile devices while the legislature was in session, indicated, porn is not something confined to the privacy of our rooms. Naked flashmobs, young people experimenting with sexual identities in public, and sometimes bizarre videos of a bus-ride where the camera merely captures the banal and the everyday through a "pornographic gaze" are also a part of the digital porn landscape. The world of virtual reality and multiple online role-playing games offer simulated sexual experiences that allow for human, humanoid, and non-human avatars to engage in sexual activities in digital spaces. Peer-2-peer video chat platforms like Chatroulette, offer random encounters of the naked kind, where nothing is recorded but almost everything can be seen.

The list of pornography produced by the internet — as opposed to pornography made accessible through the internet — is huge. It doesn't just hide in subcultural practices but resides on popular video-sharing sites like YouTube or Tumblr blogs. It vibrates in our cellphones as we connect to people far away from us, and pulsates on the glowing screens of our tablets as we get glimpses of random strangers and their intimate bodies and moments. An attempt to ban and censor this porn is going to be futile because it does not necessarily take the shape of a full narrative text which can be examined by others to judge its moral content. Any petition that tries to censor such activities is going to fall flat on its face because it fails to recognise that sexual expression, engagement and experimentation is a part of being human — and the ubiquitous presence of digital technologies in our life is going to make the internet a fair playground for activities which might seem pornographic in nature. In fact, trying to restrict and censor them, will only make our task of identifying harmful pornography — porn that involves minors, or hate speech or extreme acts of violence — so much more difficult because it will be pushed into the underbelly of the internet which is much larger than the searched and indexed World Wide Web.

Trying to suggest that internet pornography is an appendage which can be surgically removed from everyday cyberspace is to not understand the integral part that pornography and sexual interactions play in the development and the unfolding of the internet. The more fruitful efforts would be to try and perhaps create a guideline that helps promote healthy sexual interaction and alerts us to undesirable sexual expressions which reinforce misogyny, violence, hate speech and non-consensual invasions of bodies and privacy. This blanket ban on trying to sweep all internet porn under a carpet is not going to work — it will just show up as a big bump, in places we had not foreseen.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-august-25-2013-nishant-shah-out-of-the-bedroom

Dear Milind Deora, Prakash Javadekar Deserved The Truth

praskrishna — 2013-09-05T10:38:05Z

Milind Deora, the Minister of State for Communications, Information Technology and Shipping, isn’t your typical politician.

This article by Rohin Dharmakumar was published in Forbesindia Magazine on August 22, 2013. Sunil Abraham is quoted.

At just 36, he’s way younger than the average cabinet minister (64) or Member of Parliament (53). He’s also richer (Rs.17.5 crore compared to Rs.5.3 crore for the average M.P.)

He’s got his own website - www.milinddeora.in - which unlike most of his peer’s websites, is fairly well-designed and constantly updated. He’s also an avid user of social networks like Twitter (@milinddeora) and Facebook.

Oh, he’s also a Blues fan and a pretty good guitarist.

In short, he’s the kind of politician or minister many Indians would like to vote for.

And vote they do, in fact. Deora’s won the Mumbai (South) parliamentary constituency two times in a row, garnering nearly twice his next opponent’s votes during the 2009 elections.

Which is why it’s surprising, and saddening, to see Deora trot out a patently false set of answers to how America’s global dragnet of Internet surveillance is affecting the privacy of Indians.

On 16th August Deora responded to a question from Rajya Sabha M.P. and BJP Spokesperson Prakash Javadekar, asking the following:

(a) whether it is a fact that India was the fifth most tracked country by the United States intelligence, particularly on the internet;
(b) if so, the details thereof;
(c) the impact of USA”s surveillance program-Prism and Boundless Information on the country; and
(d) the steps Government intends to take to protect country”s interests and the privacy of its citizens?

Javadekar’s question was sorely needed in light of the near-daily disclosures being made about the scarily omnipresent extent to which the US Government spies on global Internet users through a myriad of ways.

India, as Javadekar rightly pointed out, was indeed the fifth most monitored country under the “Boundless Informant” data mining tool that tracks the NSA’s (the US’ lead communications spy agency) global surveillance efforts. In just March 2013 alone, according to a leaked presentation on the tool, the NSA collected 6.3 billion pieces of information from India. Suffice it to say, the information would have come from Indian citizens, businesses, ministries, bureaucrats and of course, members of Parliament (most of who now use webmail and social network from the likes of Google and Facebook).

The only countries that were spied upon more than us were Iran, Pakistan, Jordan and Egypt. Some sobering company, that!

One would thus expect Deora to be seized of the urgency and concern behind Javadekar’s questions. His answer was:

(a) & (b) In June 2013, Media reports have disclosed that India is the fifth largest target of United States electronic surveillance programmes, in terms of interception of communications on fibre cables and other infrastructure. As per media reports, United States agencies used a number of methods to gather intelligence including intercepting communication on fibre cables and infrastructure, collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL,Youtube, Paltalk and Skype.

Here we have a member of Parliament asks India’s Minister for Communications & IT about the extent to which Indian citizens and businesses are being spied upon by the US – ostensibly a friendly country – and all the Minister could do was cite newspaper reports?

What about your own investigations Mr.Minister? What is the opinion of your leading spy agencies like the NTRO, R&AW and IB? Are they also relying on newspaper reports?

But wait, Deora does go on to provide a few more answers:

(c) & (d) Government has expressed concerns over reported United States monitoring of internet traffic from India. Concerns with regard to violation of any Indian laws relating to privacy of information of ordinary Indian citizen as well as intrusive data capture deployed against Indian citizens or government infrastructure have been conveyed to the United States. The issue of United States Cyber surveillance activities was discussed during the Indo-US (India United States ) strategic dialogue meeting held in New Delhi on 24.06.2013.

Whew. That was reassuring. We expressed “concerns with regard to violation of any Indian laws relating to privacy of information” to the US during a “strategic dialogue meeting”.

Let me guess what the US side responded: “Sure. We’ll do that. Come back to us when you have a privacy law. Ha ha!”

As Sunil Abraham, the director for the Center for Internet & Society points out in Forbes India, India has no modern and comprehensive privacy law. And the government is working on a new one for only the last three years:

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

Which brings me to the final part of Deora’s response to Javadekar:

United States official responded that PRISM dealt only with Meta Data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored. United States Officials maintained that data content/content of emails are not accessed or not monitored under these surveillance programmes; therefore, it is not a violation of privacy. It was stated by United States that its agencies need to get separate authorization from Foreign Intelligence Surveillance Act (FISA) court, if they want to access the content of any of the data intercepted by these surveillance programmes.

Dear Mr.Minister, either you have been lied to by your friendly “United States Official”, or, well…

Firstly, by limiting the answer to only PRISM, which happens to be just one of the NSA’s secret tools for online surveillance, you are willfully or inadvertently narrowing down Javadekar’s question which specifically mentions other tools like Boundless Informant.

Almost all of the big Internet companies revealed to be part of the NSA’s global spying mechanism have also used the same tactic to tailor their denials. I suppose they got the cue from the NSA, which loves using the “Under This Program” dodge to derail specific questions about its secret programs, according to the Electronic Frontier Foundation:

Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.

In case you weren’t aware of the NSA’s obfuscation tactics Mr.Minister, here is another great piece on it from the Slate – “How to Decode the True Meaning of What NSA Officials Say”

Thus when your friendly US official tells you that “only meta data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored” under PRISM, not “data content/content of emails”, he or she is technically right.

Because the NSA has other programs that capture all of that. For instance, XKeyscore, which according to leaked presentations, it can capture “nearly everything a typical user does on the internet”. This includes emails, visits to websites, web searches and Facebook chats & private messages.

Did you also know, Mr. Minister, that the XKeyscore surveillance program has servers located inside India?

Finally, you make a statement that is patently false. You say that US spy agencies need authorizations from the secret Foreign Intelligence Surveillance Courts (FISC) in order to access the data collected by various surveillance programs.

FISA courts almost always approve any request made to them (they apparently rejected just 11 requests out of 33,900 made by the US government in the last 33 years), so that’s that for oversight.

And in the NSA’s Orwellian world of doublespeak, large scale interception and storage of Internet communications isn’t considered “collected” till such time one of their agents has had a chance to look at it. Which means if you’re reading this post – the NSA’s secret servers over the world and in India can coolly capture that and store it in vast databases for posterity – without it ever registering as a “collection” or requiring any approval from FISA courts.

Fact is, Mr.Minister, we “foreigners” (unless you belong to one of the four other countries that are part of the “Five Eyes” alliance, in which case you’ll be treated with a wee bit more caution) , that is, us, are fair game:

The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.

The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.

We expected better answers from you Mr.Minister – sorry, expect better.

Alas your recent answers don’t inspire much trust, for instance when you tell us constant surveillance is “good for us” and “will enhance the privacy of citizens”.

Or when you tell us that “Google Hangouts” – a service provided by a company that looms over nearly everything Indians do online – is a better medium to reach out to people than Parliament or Television.

We deserve the truth from you Mr.Minister. Just like Prakash Javadekar.

For more details visit https://cis-india.org/news/forbesindia-august-22-2013-rohin-dharmakumar-dear-milind-deora-prakash-javadekar-deserved-the-truth

Freedom from Monitoring: India Inc Should Push For Privacy Laws

sunil — 2013-08-21T07:04:48Z

More surveillance than absolutely necessary actually undermines the security objective.

This article by Sunil Abraham was published in Forbes India Magazine on August 21, 2013.

I think I understand why the average Indian IT entrepreneur or enterprise does not have a position on blanket surveillance. This is because the average Indian IT enterprise’s business model depends on labour arbitrage, not intellectual property. And therefore they have no worries about proprietary code or unfiled patent applications being stolen by competitors via rogue government officials within projects such as NATGRID, UID and, now, the CMS.

A sub-section of industry, especially the technology industry, will always root for blanket surveillance measures. The surveillance industry has many different players, ranging from those selling biometric and CCTV hardware to those providing solutions for big data analytics and legal interception systems. There are also more controversial players who provide spyware, especially those in the market for zero-day exploits. The cheerleaders for the surveillance industry are techno-determinists who believe you can solve any problem by throwing enough of the latest and most expensive technology at it.

What is surprising, though, is that other indigenous or foreign enterprises that depend on secrecy and confidentiality—in sectors such a banking, finance, health, law, ecommerce, media, consulting and communications—also don’t seem to have a public position on the growing surveillance ambitions of ‘democracies’ such as India and the United States of America. (Perhaps the only exceptions are a few multinational internet and software companies that have made some show of resistance and disagreement with the blanket surveillance paradigm.)

Is it because these businesses are patriotic? Do they believe that secrecy, confidentiality and, most importantly, privacy, must be sacrificed for national security? If that were true then it would not be a particularly wise thing to do, as privacy is the precondition for security. Ann Cavoukian, privacy commissioner of Ontario, calls it a false dichotomy. Bruce Schneier, security technologist and writer, calls it a false zero sum game; he goes on to say, “There is no security without privacy. And liberty requires both security and privacy.”

The reason why the secret recipe of Coca Cola is still secret after over 120 years is the same as the reason why a captured soldier cannot spill the beans on the overall war strategy. Corporations, like militaries, have layers and layers of privacy and secrecy. The ‘need to know’ principle resists all centralising tendencies, such as blanket surveillance. It’s important to note that targeted surveillance to identify a traitor or spy within the military, or someone engaged in espionage within a corporation, is pretty much an essential. However, any more surveillance than absolutely necessary actually undermines the security objective. To summarise, privacy is a pre-condition to the security of the individual, the enterprise, the military and the nation state.

Most people complaining online about projects like the Central Monitoring System seem to think that India has no privacy laws. This is completely untrue: We have around 50 different laws, rules and regulations that aim to uphold privacy and confidentiality in various domains. Unfortunately, most of those policies are very dated and do not sufficiently take into account the challenges of contemporary information societies. These policy documents need to be updated and harmonised through the enactment of a new horizontal privacy law. A small minority will say that Section 43(A) of the Information Technology Act is the India privacy law. That is not completely untrue, but is a gross exaggeration. Section 43(A) is really only a data security provision and, at that, it does not even comprehensively address data protection, which is only a sub-set of the overall privacy regulation required in a nation.

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

The Indian ITES, KPO and BPO sector should be particularly pleased with this development. As should any other Indian enterprise that holds personal information of EU and US nationals. This is because the EU, after the enactment of the law, will consider data protection in India adequate as per the requirements of its Data Protection Directive. This would mean that these enterprises would not have to spend twice the time and resources ensuring compliance with two different regulatory regimes.

Is the lack of enthusiasm for privacy in the Indian private sector symptomatic of Indian societal values? Can we blame it on cultural relativism, best exemplified by what Simon Davies calls “the Indian Train Syndrome, in which total strangers will disclose their lives on a train to complete strangers”? But surely, when email addresses are exchanged at the end of that conversation, they are not accompanied by passwords. Privacy is perhaps differently configured in Indian societies but it is definitely not dead. Fortunately for us, calls to protect this important human right are growing every day.

For more details visit https://cis-india.org/internet-governance/blog/forbesindia-article-august-21-2013-sunil-abraham-freedom-from-monitoring

Balancing vigilance and privacy

praskrishna — 2013-09-05T10:53:28Z

As the government steps up its surveillance capabilities, the entire social contract between the state and citizens is being reformulated, with worrying consequences.

This article by Prashant Jha was published in the Hindu on August 18, 2013. Pranesh Prakash is quoted.

The Indian state is arming itself with both technological capabilities and the institutional framework to track the lives of citizens in an unprecedented manner.

A new Centralised Monitoring System (CMS) is in the offing, which would build on the already existing mechanisms. As The Hindu reported on June 21, this would allow the government to access in real-time any mobile and fixed line conversation, SMS, fax, website visit, social media usage, Internet search and email, and will have ‘unmatched capabilities of deep search surveillance and monitoring’.

Civil society groups and citizens expressed concern about the government’s actions, plans, and intent at a discussion organised by the Foundation for Media Professionals, on Saturday.

The context

Usha Ramanathan, a widely respected legal scholar, pointed to the larger political context which had permitted this form of surveillance. It stemmed, she argued, from a misunderstanding of the notion of sovereignty. “It is not the government, but the people who are sovereign.” Laws and the Constitution are about limiting the power of the state, but while people were being subjected to these restrictions, the government itself had found ways to remain above it – either by not having laws, or having ineffective regulators. States knew the kind of power they exercised over citizens, with the result that ‘impunity had grown’.

“There is also a complete breakdown of the criminal justice system,” Ms Ramanathan said. This had resulted in a reliance on extra-judicial methods of investigation, and ‘scape-goating’ had become the norm. ‘National security’ had been emphasised, re-emphasised, and projected as the central goal. “We haven’t paused to ask what this means, and the extent to which we have been asked to give up personal security for the sake of national security.” It was in this backdrop that technology had advanced by leaps, and made extensive surveillance possible.

The implications are enormous. The data is often used for purposes it is not meant for, including political vendetta, keeping track of rivals, corporates, and digging out facts about a citizen when he may have antagonised those in power.

Pranesh Prakash, director of the Centre of Internet and Society (CIS) looked back at the killing of Haren Pandya, the senior Bharatiya Janata Party (BJP) leader in Gujarat. Mr Pandya was using the SIM card of a friend, and it was by tracking the SIM, and through it his location, that the Gujarat government got to know that Mr Pandya had deposed before a commission and indicted the administration for its role in the riots. Eventually, he was found murdered outside a park in Ahmedabad. The Gujarat Police had accessed call details of 90,000 phones.

It is also not clear whether mining this kind of data has been effective for the national security purposes, which provide the reason for doing it in the first place. Saikat Datta, resident editor of Daily News and Analysis, and an expert on India’s intelligence apparatus, said a core problem was the absence of any auditing and over sight. “There needs to be a constant review of the number of calls, emails under surveillance, with questions about whether it is yielding results. But this does not happen, probably because a majority is not for counter-terrorism. There would be trouble if you build accountability mechanisms.” When he sought information under RTI around precisely such issues, he was denied information on the grounds that it would strengthen ‘enemies of the state’.

Anja Kovacs, who works with the Internet Democracy Project, said this form of “mass surveillance” criminalised everybody since it was based on the assumption that each citizen was a “potential criminal”. She also pointed out that having “more information” did not necessarily mean it was easier to address security threats – there was intelligence preceding the Mumbai attacks, but it was not acted upon. She added, “Most incidents have been resolved by traditional intelligence. Investing in agencies, training them better could be more effective.”

Bring in the caveats

Few argue that the state is not entitled to exercise surveillance at all. In fact, a social contract underpins democratic states. Citizens agree to subject some of their rights to restrictions, and vest the state with the monopoly over instruments and use of violence. In turn, the state – acting within a set of legal principles; being accountable to citizens; and renewing its popular legitimacy through different measures, including elections – provides order and performs a range of developmental functions.

This framework, citizens and civil liberty groups worry, is under threat with governments appropriating and usurping authority to conduct unprecedented surveillance. Citizen groups, technology and privacy experts came together globally to draft the International Principles on the Application of Human Rights to Communication Surveillance.

It prescribed that any restriction to privacy through surveillance must be ‘legal’; it must be for a ‘legitimate aim’; it must be ‘strictly and demonstrably necessary’; it must be preceded by showing to an established authority that other ‘less invasive investigative techniques’ have been used; it must follow ‘due process’; decisions must be taken by a ‘competent judicial authority’; there must be ‘public oversight’ mechanisms; and ‘integrity of communications and systems’ should be maintained. (Full text available on www.necessaryandproportionate.org)Mr Prakash of CIS, which has done extensive work on surveillance and privacy issues, said, “An additional principle must be collection limitation or data minimisation.” Giving the instance of Indian Railways seeking the date of birth from a customer booking a ticket, Mr Prakash said this was not information which was necessary. But it could be used by hackers and many other agencies to access an individual’s private transactions in other areas. The UPA government is finalising a privacy Bill, but its final version is not yet public, and it is not clear how far the government would go in protecting citizen rights.

For more details visit https://cis-india.org/news/the-hindu-august-19-2013-prashant-jha-balancing-vigilance-and-privacy

How Next-Gen Smartphone Users are Being Bought and Sold

praskrishna — 2013-09-05T10:48:18Z

After facebook and google, Twitter became the latest to buy millions of Indian smartphone users in July.

This article by Rohin Dharmakumar was published by Forbes India Magazine on August 13, 2013, and later mirrored in IBN Live on August 19, 2013. Sunil Abraham is quoted.

Now, the actual announcement was about how Twitter had partnered with Vodafone India to offer its services ‘free of cost’ to mobile subscribers for three months. It had already inked similar deals with Airtel and Reliance, according to Medianama, a digital media news site. Google and Facebook, too, announced such agreements during the past year, whereby mobile subscribers could use their service ‘free of cost’ through their phones.

Nothing is really ‘free’ on the web, which is why we have the adage: “If you’re not paying for it, you are the product”. So these large web companies are actually buying millions of first-time mobile internet users by paying off their respective mobile operators. Of India’s 137 million internet users, roughly 120 million access mobile internet.

Sunil Abraham, director of the Centre for Internet & Society in Bangalore, thinks India could be going down the Indonesia route. “If you ask the average Indonesian mobile user if he or she has internet access, they might say no. Ask them if they have Facebook or Twitter, and they’ll say yes!” Incidentally, 96 percent of Indonesians use social media, mostly from their phones.

Smaller competitors to Facebook, Google and Twitter who can’t afford to pay mobile operators on similar terms will find their competitiveness shrinking. Meanwhile, a large number of Indians will balk at paying for internet usage on their phones because the social networks are all ‘free’.

For more details visit https://cis-india.org/news/forbesindia-august-13-2013-rohin-dharmakumar-how-nextgen-smartphone-users-are-being-bought-and-sold

Surveillance: Privacy Vs Security

praskrishna — 2013-08-19T05:32:55Z

The Foundation for Media Professionals is organizing a debate at the India International Centre, New Delhi on August 17, 2013. Shri Kapil Sibal will give the opening speech. Natgrid chief Raghu Raman is one of the debaters. Pranesh Prakash is participating in this event as a panelist.

This was published by the Foundation for Media Professionals on their website. Also read the blog post by Vivian Fernandes and Ninglun Hanghal.

In the backdrop of the recent disclosures by US defense contractor Edward Snowden about the activity of the National Security Agency (NSA) and reports that NSA may have collaborated with India on surveillance program in the country that have raised concerns about privacy and right of citizens, Foundation for Media Professionals (FMP) in partnership with Friedrich Ebert Stiftung (FES) invited Pranesh Prakash to a panel discussion on "Surveillance: Privacy vs. Security".

Guest Speaker
Kapil Sibal, Union Minister for Communications and Information Technology, Govt. of India

Panelists

Pranesh Prakash, Policy Director, Centre for Internet and Society

Dr. Usha Ramanathan, Independent Law Researcher
Saikat Datta, Resident Editor, DNA
Capt. Raghu Raman, National Intelligence Grid (Natgrid)

Moderator

Paranjoy Guha Thakurta

For more details visit https://cis-india.org/news/foundation-for-media-professionals-august-17-2013-surveillance-privacy-v-security

FinFisher in India and the Myth of Harmless Metadata

maria — 2013-08-13T11:30:15Z

In this article, Maria Xynou argues that metadata is anything but harmless, especially since FinFisher — one of the world's most controversial types of spyware — uses metadata to target individuals.

In light of PRISM, the Central Monitoring System (CMS) and other such surveillance projects in India and around the world, the question of whether the collection of metadata is “harmless” has arisen.[1] In order to examine this question, FinFisher[2] — surveillance spyware — has been chosen as a case study to briefly examine to what extent the collection and surveillance of metadata can potentially violate the right to privacy and other human rights. FinFisher has been selected as a case study not only because its servers have been recently found in India[3] but also because its “remote monitoring solutions” appear to be very pervasive even on the mere grounds of metadata.

FinFisher in India

FinFisher is spyware which has the ability to take control of target computers and capture even encrypted data and communications. The software is designed to evade detection by anti-virus software and has versions which work on mobile phones of all major brands.[4] In many cases, the surveillance suite is installed after the target accepts installation of a fake update to commonly used software.[5] Citizen Lab researchers have found three samples of FinSpy that masquerades as Firefox.[6]

FinFisher is a line of remote intrusion and surveillance software developed by Munich-based Gamma International. FinFisher products are sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group.[7] A few months ago, it was reported that command and control servers for FinSpy backdoors, part of Gamma International´s FinFisher “remote monitoring solutions”, were found in a total of 25 countries, including India.[8]

The following map, published by the Citizen Lab, shows the 25 countries in which FinFisher servers have been found.[9]


The above map shows the results of scanning for characteristics of FinFisher command and control servers.

FinFisher spyware was not found in the countries coloured blue, while the colour green is used for countries not responding. The countries using FinFisher range from shades of orange to shades of red, with the lightest shade of orange ranging to the darkest shade of red on a scale of 1-6, and with 1 representing the least active servers and 6 representing the most active servers in regards to the use of FinFisher. On a scale of 1-6, India is marked a 3 in terms of actively using FinFisher.[10]

Research published by the Citizen Lab reveals that FinSpy servers were recently found in India, which indicates that Indian law enforcement agencies may have bought this spyware from Gamma Group and might be using it to target individuals in India.[11] According to the Citizen Lab, FinSpy servers in India have been detected through the HostGator operator and the first digits of the IP address are: 119.18.xxx.xxx. Releasing complete IP addresses in the past has not proven useful, as the servers are quickly shut down and relocated, which is why only the first two octets of the IP address are revealed.[12]

The Citizen Lab's research reveals that FinFisher “remote monitoring solutions” were found in India, which, according to Gamma Group's brochures, include the following:

FinSpy: hardware or software which monitors targets that regularly change location, use encrypted and anonymous communications channels and reside in foreign countries. FinSpy can remotely monitor computers and encrypted communications, regardless of where in the world the target is based. FinSpy is capable of bypassing 40 regularly tested antivirus systems, of monitoring the calls, chats, file transfers, videos and contact lists on Skype, of conducting live surveillance through a webcam and microphone, of silently extracting files from a hard disk, and of conducting a live remote forensics on target systems. FinSpy is hidden from the public through anonymous proxies.[13]

FinSpy Mobile: hardware or software which remotely monitors mobile phones. FinSpy Mobile enables the interception of mobile communications in areas without a network, and offers access to encrypted communications, as well as to data stored on the devices that is not transmitted. Some key features of FinSpy Mobile include the recording of common communications like voice calls, SMS/MMS and emails, the live surveillance through silent calls, the download of files, the country tracing of targets and the full recording of all BlackBerry Messenger communications. FinSpy Mobile is hidden from the public through anonymous proxies.[14]

FinFly USB: hardware which is inserted into a computer and which can automatically install the configured software with little or no user-interaction and does not require IT-trained agents when being used in operations. The FinFly USB can be used against multiple systems before being returned to the headquarters and its functionality can be concealed by placing regular files like music, video and office documents on the device. As the hardware is a common, non-suspicious USB device, it can also be used to infect a target system even if it is switched off.[15]

FinFly LAN: software which can deploy a remote monitoring solution on a target system in a local area network (LAN). Some of the major challenges law enforcement faces are mobile targets, as well as targets who do not open any infected files that have been sent via email to their accounts. FinFly LAN is not only able to deploy a remote monitoring solution on a target´s system in local area networks, but it is also able to infect files that are downloaded by the target, by sending fake software updates for popular software or to infect the target by injecting the payload into visited websites. Some key features of the FinFly LAN include: discovering all computer systems connected to LANs, working in both wired and wireless networks, and remotely installing monitoring solutions through websites visited by the target. FinFly LAN has been used in public hotspots, such as coffee shops, and in the hotels of targets.[16]

FinFly Web: software which can deploy remote monitoring solutions on a target system through websites. FinFly Web is designed to provide remote and covert infection of a target system by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the agent to easily create a custom infection code according to selected modules. It provides fully-customizable web modules, it can be covertly installed into every website and it can install the remote monitoring system even if only the email address is known.[17]

FinFly ISP: hardware or software which deploys a remote monitoring solution on a target system through an ISP network. FinFly ISP can be installed inside the Internet Service Provider Network, it can handle all common protocols and it can select targets based on their IP address or Radius Logon Name. Furthermore, it can hide remote monitoring solutions in downloads by targets, it can inject remote monitoring solutions as software updates and it can remotely install monitoring solutions through websites visited by the target.[18]

Although FinFisher is supposed to be used for “lawful interception”, it has gained notoriety for targeting human rights activists.[19] According to Morgan Marquis-Boire, a security researcher and technical advisor at the Munk School and a security engineer at Google, FinSpy has been used in Ethiopia to target an opposition group called Ginbot.[20] Researchers have argued that FinFisher has been sold to Bahrain's government to target activists, and such allegations were based on an examination of malicious software which was emailed to Bahraini activists.[21] Privacy International has argued that FinFisher has been deployed in Turkmenistan, possibly to target activists and political dissidents.[22]

Many questions revolving around the use of FinFisher and its “remote monitoring solutions” remain vague, as there is currently inadquate proof of whether this spyware is being used to target individuals by law enforcement agencies in the countries where command and control servers have been found, such as India.[23] However, FinFisher's brochures which were circulated in the ISS world trade shows and leaked by WikiLeaks do reveal some confirmed facts: Gamma International claims that its FinFisher products are capable of taking control of target computers, of capturing encrypted data and of evading mainstream anti-virus software.[24] Such products are exhibited in the world's largest surveillance trade show and probably sold to law enforcement agencies around the world.[25] This alone unveils a concerning fact: spyware which is so sofisticated that it even evades encryption and anti-virus software is currently in the market and law enforcement agencies can potentially use it to target activists and anyone who does not comply with social conventions.[26] A few months ago, two Indian women were arrested after having questioned the shutdown of Mumbai for Shiv Sena patriarch Bal Thackeray's funeral.[27] Thus, it remains unclear what type of behaviour is targeted by law enforcement agencies and whether spyware, such as FinFisher, would be used in India to track individuals without a legally specified purpose.

Furthermore, India lacks privacy legislation which could safeguard individuals from potential abuse, while sections 66A and 69 of the Information Technology (Amendment) Act, 2008, empower Indian authorities with extensive surveillance capabilites.[28] While it remains unclear if Indian law enforcement agencies are using FinFisher spy products to unlawfully target individuals, it is a fact that FinFisher control and command servers have been found in India and that, if used, they could potentially have severe consequences on individuals' right to privacy and other human rights.[29]

The Myth of Harmless Metadata

Over the last months, it has been reported that the Central Monitoring System (CMS) is being implemented in India, through which all telecommunications and Internet communications in the country are being centrally intercepted by Indian authorities. This mass surveillance of communications in India is enabled by the omission of privacy legislation and Indian authorities are currently capturing the metadata of communications.[30]

Last month, Edward Snowden leaked confidential U.S documents on PRISM, the top-secret National Security Agency (NSA) surveillance programme that collects metadata through telecommunications and Intenet communications. It has been reported that through PRISM, the NSA has tapped into the servers of nine leading Internet companies: Microsoft, Google, Yahoo, Skype, Facebook, YouTube, PalTalk, AOL and Apple.[31] While the extent to which the NSA is actually tapping into these servers remains unclear, it is certain that the NSA has collected metadata on a global level.[32] Yet, the question of whether the collection of metadata is “harmful” remains ambiguous.

According to the National Information Standards Organization (NISO), the term “metadata” is defined as “structured information that describes, explains, locates or otherwise makes it easier to retrieve, use or manage an information resource”. NISO claims that metadata is “data about data” or “information about information”.[33] Furthermore, metadata is considered valuable due to its following functions:

Resource discovery
Organizing electronic resources
Interoperability
Digital Identification
Archiving and preservation

Metadata can be used to find resources by relevant criteria, to identify resources, to bring similar resources together, to distinguish dissimilar resources and to give location information. Electronic resources can be organized through the use of various software tools which can automatically extract and reformat information for Web applications. Interoperability is promoted through metadata, as describing a resource with metadata allows it to be understood by both humans and machines, which means that data can automatically be processed more effectively. Digital identification is enabled through metadata, as most metadata schemes include standard numbers for unique identification. Moreover, metadata enables the archival and preservation of large volumes of digital data.[34]

Surveillance projects, such as PRISM and India's CMS, collect large volumes of metadata, which include the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number, email addresses, IP addresses and browsed webpages.[35] However, the fact that such surveillance projects may not have access to content data might potentially create a false sense of security.[36] When Microsoft released its report on data requests by law enforcement agencies around the world in March 2013, it revealed that most of the disclosed data was metadata, while relatively very little content data was allegedly disclosed.[37]

imilarily, Google's transparency report reveals that the company disclosed large volumes of metadata to law enforcement agencies, while restricting its disclosure of content data.[38]

Such reports may potentially provide a sense of security to the public, as they reassure that the content of personal emails, for example, has not been shared with the government, but merely email addresses – which might be publicly available online anyway. However, is content data actually more “harmful” than metadata? Is metadata “harmless”? How much data does metadata actually reveal?

The Guardian recently published an article which includes an example of how individuals can be tracked through their metadata. In particular, the example explains how an individual is tracked – despite using an anonymous email account – by logging in from various hotels' public Wi-Fi and by leaving trails of metadata that include times and locations. This example illustrates how an individual can be tracked through metadata alone, even when anonymous accounts are being used.[39]

Wired published an article which states that metadata can potentially be more harmful than content data because “unlike our words, metadata doesn't lie”. In particular, content data shows what an individual says – which may be true or false – whereas metadata includes what an individual does. While the validity of the content within an email may potentially be debateable, it is undeniable that an individual logged into specific websites – if that is what that individuals' IP address shows. Metadata, such as the browsing habits of an individual, may potentially provide a more thorough and accurate profile of an individual than that individuals' email content, which is why metadata can potentially be more harmful than content data.[40]

Furthermore, voice content is hard to process and written content in an email or chat communication may not always be valid. Metadata, on the other hand, provides concrete patterns of an individuals' behaviour, interests and interactions. For example, metadata can potentially map out an individuals' political affiliation, interests, economic background, institution, location, habits and the people that individual interacts with. Such data can potentially be more valuable than content data, because while the validity of email content is debateable, metadata usually provides undeniable facts. Not only is metadata more accurate than content data, but it is also ideally suited to automated analysis by a computer. As most metadata includes numeric figures, it can easily be analysed by data mining software, whereas content data is more complicated.[41]

FinFisher products, such as FinFly LAN, FinFly Web and FinFly ISP, provide solid proof that the collection of metadata can potentially be “harmful”. In particular, FinFly LAN can be deployed in a target system in a local area network (LAN) by infecting files that are downloaded by the target, by sending fake software updates for popular software or by infecting the payload into visited websites. The fact that FinFly LAN can remotely install monitoring solutions through websites visited by the target indicates that metadata alone can be used to acquire other sensitive data.[42]

FinFly Web can deploy remote monitoring solutions on a target system through websites. Additionally, FinFly Web can be covertly installed into every website and it can install the remote monitoring system even if only the email address is known.[43] FinFly ISP can select targets based on their IP address or Radius Logon Name. Furthermore, FinFly ISP can remotely install monitoring solutions through websites visited by the target, as well as inject remote monitoring solutions as software updates.[44] In other words, FinFisher products, such as FinFly LAN, FinFly Web and FinFly ISP, can target individuals, take control of their computers and their data, and capture even encrypted data and communications with the help of metadata alone.

The example of FinFisher products illustrates that metadata can potentially be as “harmful” as content data, if acquired unlawfully and without individual consent.[45] Thus, surveillance schemes, such as PRISM and India's CMS, which capture metadata without individuals' consent can potentially pose a major threat to the right to privacy and other human rights.[46] Privacy can be defined as the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others.[47] Furthermore, privacy is at the core of human rights because it protects individuals from abuse by those in power.[48] The unlawful collection of metadata exposes individuals to the potential violation of their human rights, as it is not transparent who has access to their data, whether it is being shared with third parties or for how long it is being retained.

It is not clear if Indian law enforcement agencies are actually using FinFisher products, but the Citizen Lab did find FinFisher command and control servers in the country which indicates that there is a high probability that such spyware is being used.[49] This probability is highly concerning not only because the specific spy products have such advanced capabilities that they are even capable of capturing encrypted data, but also because India currently lacks privacy legislation which could safeguard individuals.

Thus, it is recommended that Indian law enforcement agencies are transparent and accountable if they are using spyware which can potentially breach their citizens' human rights and that privacy legislation is enacted into law. Lastly, it is recommended that all surveillance technologies are strictly regulated with regards to the protection of human rights and that Indian authorities adopt the principles on communication surveillance formulated by the Electronic Frontier Foundation and Privacy International.[50] The above could provide a decisive first step in ensuring that India is the democracy it claims to be.

[1]. Robert Anderson (2013), “Wondering What Harmless 'Metadata' Can Actually Reveal? Using Own Data, German Politician Shows Us”, The CSIA Foundation, http://bit.ly/1cIhu7G

[2]. Gamma Group, FinFisher IT Intrusion, http://bit.ly/fnkGF3

[3]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[4]. Michael Lewis, “FinFisher Surveillance Spyware Spreads to Smartphones”, The Star: Business, 30 August 2012, http://bit.ly/14sF2IQ

[5]. Marcel Rosenbach, “Troublesome Trojans: Firm Sought to Install Spyware Via Faked iTunes Updates”, Der Spiegel, 22 November 2011, http://bit.ly/14sETVV

[6]. Intercept Review, Mozilla to Gamma: stop disguising your FinSpy as Firefox, 02 May 2013, http://bit.ly/131aakT

[7]. Intercept Review, LI Companies Review (3) – Gamma, 05 April 2012, http://bit.ly/Hof9CL

[8]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[9]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[10]. Ibid.

[11]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[12]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[13]. Gamma Group, FinFisher IT Intrusion, FinSpy: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/zaknq5

[14]. Gamma Group, FinFisher IT Intrusion, FinSpy Mobile: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/19pPObx

[15]. Gamma Group, FinFisher IT Intrusion, FinFly USB: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/1cJSu4h

[16]. Gamma Group, FinFisher IT Intrusion, FinFly LAN: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/14J70Hi

[17]. Gamma Group, FinFisher IT Intrusion, FinFly Web: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/19fn9m0

[18]. Gamma Group, FinFisher IT Intrusion, FinFly ISP: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/13gMblF

[19]. Gerry Smith, “FinSpy Software Used To Surveil Activists Around The World, Reports Says”, The Huffington Post, 13 March 2013, http://huff.to/YmmhXI

[20]. Jeremy Kirk, “FinFisher Spyware seen Targeting Victims in Vietnam, Ethiopia”, Computerworld: IDG News, 14 March 2013, http://bit.ly/14J8BwW

[21]. Reporters without Borders: For Freedom of Information (2012), The Enemies of the Internet: Special Edition: Surveillance, http://bit.ly/10FoTnq

[22]. Privacy International, FinFisher Report, http://bit.ly/QlxYL0

[23]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, “You Only Click Twice: FinFisher's Global Proliferation”, The Citizen Lab, 13 March 2013, http://bit.ly/YmeB7I

[24]. Gamma Group, FinFisher IT Intrusion, FinSpy: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/zaknq5

[25]. Adi Robertson, “Paranoia Thrives at the ISS World Cybersurveillance Trade Show”, The Verge, 28 December 2011, http://bit.ly/tZvFhw

[26]. Gerry Smith, “FinSpy Software Used To Surveil Activists Around The World, Reports Says”, The Huffington Post, 13 March 2013, http://huff.to/YmmhXI

[27]. BBC News, “India arrests over Facebook post criticising Mumbai shutdown”, 19 November 2012, http://bbc.in/WoSXkA

[28]. Indian Ministry of Law, Justice and Company Affairs, The Information Technology (Amendment) Act, 2008, http://bit.ly/19pOO7t

[29]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[30]. Phil Muncaster, “India introduces Central Monitoring System”, The Register, 08 May 2013, http://bit.ly/ZOvxpP

[31]. Glenn Greenwald & Ewen MacAskill, “NSA PRISM program taps in to user data of Apple, Google and others”, The Guardian, 07 June 2013, http://bit.ly/1baaUGj

[32]. BBC News, “Google, Facebook and Microsoft seek data request transparency”, 12 June 2013, http://bbc.in/14UZCCm

[33]. National Information Standards Organization (2004), Understanding Metadata, NISO Press, http://bit.ly/LCSbZ

[34]. Ibid.

[35]. The Hindu, “In the dark about 'India's PRISM'”, 16 June 2013, http://bit.ly/1bJCXg3 ; Glenn Greenwald, “NSA collecting phone records of millions of Verizon customers daily”, The Guardian, 06 June 2013, http://bit.ly/16L89yo

[36]. Robert Anderson, “Wondering What Harmless 'Metadata' Can Actually Reveal? Using Own Data, German Politician Shows Us”, The CSIA Foundation, 01 July 2013, http://bit.ly/1cIhu7G

[37]. Microsoft: Corporate Citizenship, 2012 Law Enforcement Requests Report,http://bit.ly/Xs2y6D

[38]. Google, Transparency Report, http://bit.ly/14J7hKp

[39]. Guardian US Interactive Team, A Guardian Guide to your Metadata, The Guardian, 12 June 2013, http://bit.ly/ZJLkpy

[40]. Matt Blaze, “Phew, NSA is Just Collecting Metadata. (You Should Still Worry)”, Wired, 19 June 2013, http://bit.ly/1bVyTJF

[41]. Ibid.

[42]. Gamma Group, FinFisher IT Intrusion, FinFly LAN: Remote Monitoring & Infection Solutions, WikiLeaks: The Spy Files, http://bit.ly/14J70Hi

[43]. Gamma Group, FinFisher IT Intrusion, FinFly Web: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/19fn9m0

[44]. Gamma Group, FinFisher IT Intrusion, FinFly ISP: Remote Monitoring & Intrusion Solutions, WikiLeaks: The Spy Files, http://bit.ly/13gMblF

[45]. Robert Anderson, “Wondering What Harmless 'Metadata' Can Actually Reveal? Using Own Data, German Politician Shows Us”, The CSIA Foundation, 01 July 2013, http://bit.ly/1cIhu7G

[46]. Shalini Singh, “India's surveillance project may be as lethal as PRISM”, The Hindu, 21 June 2013, http://bit.ly/15oa05N

[47]. Cyberspace Law and Policy Centre, Privacy, http://bit.ly/14J5u7W

[48]. Bruce Schneier, “Privacy and Power”, Schneier on Security, 11 March 2008, http://bit.ly/i2I6Ez

[49]. Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri & John Scott-Railton, For Their Eyes Only: The Commercialization of Digital Spying, Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto, 01 May 2013, http://bit.ly/ZVVnrb

[50]. Elonnai Hickok, “Draft International Principles on Communications Surveillance and Human Rights”, The Centre for Internet and Society, 16 January 2013, http://bit.ly/XCsk9b

For more details visit https://cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata

Chinese hackers baiting Indian govt, corporate employees: report

praskrishna — 2013-09-05T10:31:53Z

Hackers using fake subject headings to get users to open virus-laden email attachments.

This article by Moulishree Srivastava and Anirban Sen was published in Livemint on August 9, 2013. Sunil Abraham is quoted.

Using faked subject headings as diverse as Gujarat chief minister Narendra Modi and the Jallianwala Bagh Massacre, Chinese hackers have been baiting Indian government officials and corporate employees to open virus-laden emailed attachments and expose themselves to the risk of cyber attacks, a new report says.

The report on “advanced persistent cyber attacks” is based on an investigation conducted by security research firm Research Bundle in collaboration with CERT-ISAC. ISAC is a certification body for information technology (IT) security professionals that handles India’s National Security Database (NSD). CERT (Computer Emergency Response Team)-ISAC deals with mobile and electronic security.

“Some time back, there were a couple of high-profile cyber attacks that came to our notice when we were approached by corporates as well as government entities to look into them,” said Rajshekhar Murthy, director at CERT-ISAC, NSD, at the report’s release on Friday.

“First we thought it might be just these few incidents, but as we went deeper into it, it came to light that these threats were far more (widely) spread than we had initially perceived. During the course of our research, we got proof that the threats originated from China,” he said.

NSD, managed by ISAC and the government, is a programme that provides certification to IT professionals who have capability to protect critical infrastructure and the economy.

“Chinese hackers have been persistent in their attacks. According to our analysis, they have also made a separate wing for these operations,” Murthy said.

The report says, “It’s also a known fact the Indian government and other important sectors from India were heavily targeted during this campaign...focused on stealing confidential documents and sensitive information.”

The threat came in the form of emails with attached documents targeting government and corporate entities. “These documents exploited previously known vulnerabilities to drop ‘Travnet’ malware on to the systems,” said the report, prepared by 20 Internet security professionals over a period of six months.

“These emails showed that China has been gathering information about India and keeping up with current issues, and using those to entice people to open the attachments,” Murthy said.

Some of the attachments had names such as Army Cyber Security Policy 2013.doc, Jallianwala bagh massacre - a deeply shameful act.doc, Report - Asia Defense Spending Boom.doc, His Holiness the Dalai Lama’s visit to Switzerland day 3.doc, and BJP won’t dump Modi for Nitish NDA headed for split.doc.

The malware Travnet was specifically designed to search for “doc, docx, xls, xlsx, txt, rtf and pdf” files on the hacked computer.

“This provides enough hints that this malware was designed to steal confidential information, unlike the usual botnet variants that focus primarily on providing remote access to the system,” the report said. “The malware initially collects system information, a list of files on the victim machine among others, then sends this data to the remote Command & Control server...”

According to industry estimates, losses due to cyber theft from reported attacks alone amount to $8-10 billion (Rs.48,800-61,000 crore). But experts say the figure could be much higher as many threats go unreported.

Worryingly, the security infrastructure of Indian government websites has reportedly failed to keep pace with cyber attackers, who are becoming more focused on stealing information.

“Many of the servers that host ‘gov.in’ sites are running outdated software versions, with poorly managed Web servers that do not follow even the most basic Web application security guidelines,” said the report. “Even important government sites, access to which can lead to much deeper intrusion, seem to be managed with little care. While defacements are usually carried out by hackers just for fun or fame, serious hackers can cause much more damage and remain unnoticed for a very long time...”

“Slowly but steadily, serious APT (advanced, persistent attacks) campaigns are on the rise,” the report added. “It’s very important for the nation to start upgrading its IT infrastructure to keep up with the latest security guidelines and practices.”

“Cyber security has become one of the crucial areas for us and we are focusing on putting capacity and capability in place to strengthen the cyber security infrastructure,” said Alok Vijayant, director of the National Technical Research Organisation. “We want to bring IT security professionals under one entity to enhance our existing capability instead of just focusing on putting in additional security infrastructure.”

“India has one of the largest talent pools of IT professionals, but our biggest concern remains the young talent in IT, as most professionals prefer to go abroad to work,” he added.

Additionally, the use of proprietary rather than open-source software increases the vulnerability of Indian entities, according to Sunil Abraham, executive director of Bangalore-based research organization Centre for Internet and Society. “There’s a lack of use of Linux and other kinds of free software at both the desktop level and also the front end... They’re using Microsoft both at the server end and on the client end. Most of these attacks take advantage of that operating system dependency. If one were to look at it at a macro level, we’re vulnerable across the board—vulnerable to the US, we’re vulnerable to attackers from Europe, Pakistan, etc.,” Abraham said.

For more details visit https://cis-india.org/news/livemint-august-9-2013-moulishree-srivastava-anirban-sen-chinese-hackers-baiting-indian-govt-corporate-employees

Facebook: Limiting access to social media can restrict freedom of speech

praskrishna — 2013-08-08T04:07:38Z

In its counter-affidavit to the PIL in the Delhi high court, Facebook has argued that limiting access to social media can limit an individual's freedom of speech and expression.

Kim Arora's article was published in the Times of India on August 1, 2013. Sunil Abraham is quoted.

The PIL, among other things, deals with the issue of minors accessing Facebook services, arguing that under the Indian Contract Act 1872, minors can't enter into a contract. The PIL will be heard next on Friday.

Last year, the UN Human Rights Council had passed a resolution declaring access to Internet as a human right. Facebook has argued making a similar point for access to social media. "The Internet is increasingly becoming a platform for citizens including minors to interact and voice their opinions and, therefore, a meaningful interpretation of the right to freedom of speech and expression would include the freedom to access social media," the counter-affidavit says.

"It can be argued that in a technologically mediated society, social media and communication infrastructure is essential to exercise freedom of expression," says Sunil Abraham, director, Bangalore-based Center for Internet and Society.

Cyber lawyer Pavan Duggal sees it as "hyperbole". "The issue still remains that a minor doesn't have the capacity to act under the Contract Act," he says. Lawyers say that if a contract is entered into for free service in exchange of personal information, it is a "consideration" (like cash or kind) under the Indian Contract Act 1872. The Act says, "All agreements are contracts if they are made by the free consent of parties competent to contract, for a lawful consideration and with a lawful object, and are not hereby expressly declared to be void." It then lists minors as incompetent to contract, and says, "The agreement, if any party is minor, is void ab initio." However, Abraham points out that "It is not an offence to enter a void contract."

To weed out fake profiles and children's profiles, the PIL, filed by former RSS ideologue K N Govindacharya, argues that "obligation is cast upon Facebook and other social networking sites to verify the authenticity of each and every subscribers (sic) which is mandatory for Mobile companies in telecommunication sector.

Mumbai-based professor of law Saurav Datta feels this sort of authentication could have serious privacy implications. "There is no way they can verify users without impinging on their privacy. The goal of the PIL is wrong. We need to protect children, not keep people out," says Datta.

Abraham says that a possible way to deal with this can be on the lines of Canadian privacy law where a privacy commissioner can raise such concerns with the service provider directly.

For more details visit https://cis-india.org/news/the-times-of-india-aug-1-2013-kim-arora-facebook-limiting-access-to-social-media-can-restrict-freedom-of-speech

Token disclosures?

praskrishna — 2013-08-07T09:30:39Z

Snowden’s Xkeyscore expose makes a mockery of Twitter’s transparency revelations.

The article by Deepa Kurup was published in the Hindu on August 4, 2013. Sunil Abraham is quoted.

This week, roughly around the same time, two ‘revelations’ made headlines in the world of technology. The first, the U.S. National Security Agency’s top secret web surveillance programme, codenamed Xkeyscore, another expose from the house of Edward Snowden & Co.; and second, microblogging site Twitter’s third biannual Transparency Report for the first half of 2013.

The former exposed a global surveillance net, cast far and wide to freely (no formal authorisation required) access and mine emails, chats and browsing histories of millions. The content of the latter report not only pales in comparison but also raises fundamental questions on just how much goes on beyond the arguably modest claims made on Twitter’s transparency charts.

Documents published by The Guardian have the NSA claiming that the “widest-reaching” system mining intelligence from the web had, over a month in 2012, retrieved and stored no less than 41 billion records on its Xkeyscore servers. These mind-boggling numbers make a mockery of Twitter’s few hundred access request disclosures, advocates of online privacy and freedom point out. Then, it is hardly surprising that a large chunk of global requests came from the U.S. government: no less than 902 of the total 1,157 requests, accounting for 78 per cent. A far second is Japan at 8 per cent followed by the U.K.

India References

Interestingly, both Twitter’s report and the NSA’s Xkeyscore document have India references. While a map titled 'Where is Xkeyscore' in the training manual released showing India as one of 150 sites (hosting a total of 700 servers) indicates that India's very much on the global surveillance radar of the United States government; the fact that the India is a new entrant on Twitter's ‘Country Withheld Content Tool’ means that the government here is also making active interventions in microblogging content. This is very much in line with stances the Indian government has taken over the last year, swinging indecisively between asking internet firms to pre-screen content and asking service providers to take down what it finds offensive.

India, A Bit-Player

The Twitter report states that over the last six months it has seen an increase in the number of requests received (and eventual withholding of content) in five new countries: India, Brazil, Japan, Netherlands and Russia. In terms of numbers, India is still very much a bit player in the game given it falls under the ‘less than 10 category, a list where the number of requests for user information made by the government during this period is fewer than 10. It appears from the report that Twitter did not honour any of these requests, indicating that either the requests were too broad or failed to identify individual accounts.

In the same period, Twitter received two requests from India to remove content, one from the “government/law enforcement agency” and the other through a court order. In all, three tweets were removed by Twitter. No details on the nature of content removed were available.

Transparency Trends

A late entrant to transparency initiatives, Twitter's bi-annual reports have been applauded by privacy activists as an initiative that at least attempted to offer a glimpse into the otherwise opaque medium/industry. According to 'Who Has Your Back' an initiative by the Electronic Frontier Foundation, which tracks which corporate helps protect your data from the government, only a third of the 18 internet majors publish Transparency Reports – in fact, Facebook, WordPress and Tumblr all don't publish.

This article by Deepa Kurup was published in the Hindu on August 4, 2013. Sunil Abraham is quoted.

While it's definitely good that Twitter's providing data for India, post-Edward Snowden and his revealing PRISM leaks, netizens would question to what extent this data is representative of the magnitude or extent of user data tracking. Do governments like the U.S. need to approach Twitter (or other internet service providers) at all to access detailed user activity logs, content and metadata?

Secret Orders Excluded

Twitter makes it clear that its current report does not include "secret orders" or FISA disclosures. In another blog related to the Transparency Report, Jeremy Kessel, Manager, Legal Policy at Twitter Inc, writes that since 2012, Twitter's seen an uptick in requests to withhold content from two to seven countries. He writes that while Twitter wants to publish “numbers of national security requests – including FISA (Foreign Intelligence Surveillance Act) disclosures – separately from non-secret requests.” It claims it has “insisted” that the United States government allow for increased transparency into “secret orders”. “We believe it’s important to be able to publish numbers of national security requests – including FISA disclosures – separately from non-secret requests." Unfortunately, we are still not able to include such metrics, Twitter states.

'Not the Whole Truth'

In the absence of these metrics, Sunil Abraham, director of Centre for Internet and Society, feels transparency reports “may not tell us the whole truth”. The Xkeyscore revelations then may explain why the U.S. government has made only 902 information requests. “A rogramme like XKeyScore potentially allows them to capture the very same data without having to approach Twitter. This is the very same imperative behind the CMS project in India. Governments across the world want to automate private sector involvement in blanket surveillance measures so that it wont serve as a check on their unbridled appetite for data”

He warns that there's a likely “race to the bottom”, given that an unintended consequence of transparency may be that governments, rather than being shamed into respect for free speech and privacy, would be emboldened by the scale of surveillance and censorship in the so-called democracies such as the US and EU members that are on top of the global blanket surveillance game.

For more details visit https://cis-india.org/news/the-hindu-august-4-2013-deepa-kurup-token-disclosures

Ethical Issues in Open Data

kovey — 2013-08-07T09:19:54Z

On August 1, 2013, I took part in a web meeting, organized and hosted by Tim Davies of the World Wide Web foundation. The meeting, titled “Ethical issues in Open Data,” had an agenda focused around privacy considerations in the context of the open data movement.

The main panelists, Carly Nyst and Sam Smith from Privacy International, as well as Steve Song from the International Development Research Centre, were joined by roughly a dozen other privacy and development researchers from around the globe in the hour long session.

The primary issue of the meeting was the concern over modern capabilities of cross-analytics for de-anonymizing data sets and revealing personally identifiable information (PII) in open data. Open data can constitute publicly available information such as budgets, infrastructures, and population statistics, as long as the data meets the three open data characteristics: accessibility, machine readability, and availability for re-use. “Historically,” said Tim Davies, “public registers have been protected through obscurity.” However, both the capabilities of data analysts and the definition of personal data have continued to expand in recent years. This concern thus presents a conflict between researchers who advocate governments releasing open data reports, and researchers who emphasize privacy in the developing world.

Steve Song, advisor to IDRC Information & Networks program, spoke of the potential collateral damage that comes with publishing more and more types of information. Song addressed the imperative of the meeting in saying, “privacy needs to be a core part of open data conversation.” In his presentation, he gave a particularly interesting example of the tensions between public and private information implications. Following the infamous 2012 school shooting in Newtown, Connecticut, the information on Newtown’s gun permit owning citizens (made publicly available through America’s Freedom of Information Act) was aggregated into an interactive map which revealed the citizens’ addresses. This obviously became problematic for the Newtown community, as the map not only singled out homes which exercised their right to bear arms but also indirectly revealed which homes were without firearm protection and thereby more vulnerable to theft and crime. The Newtown example clearly demonstrates the relationship (and conflict) between open data and privacy; it resolves to the conflict between the right to information and the right to privacy.

An apparent issue surrounding open data is its perceived binary nature. Many advocates either view data as being open, or not; any intermediary boundaries are only forms of governments limiting data accessibility. Therefore, a point raised by meeting attendee Raed Sharif aptly presented an open data counter-argument. Sarif noted how, inversely, privacy conceptions may form a threat to open data. He mentioned how governments could take advantage of privacy arguments to justify their refusal to publish open reports.

However, Carly Nyst summarized the privacy concern and argument in her remarks near the end of the meeting. Namely, she reasoned that the open data mission is viable, if only limited to generic data, i.e., data about infrastructure, or other information that is in no way personal. Doing so will avoid obstructions of individual privacy. Until more advanced anonymization techniques can be achieved, which can overcome modern re-identification methods, publicly publishing PII may prove too risky. It was generally agreed upon during the meeting that open data is not inherently bad, and in fact its analysis and availability can be beneficial, but the threat of its misuse makes it dangerous. For the future of open data, researchers and advocates should perhaps consider more nuanced approaches to the concept in order to respect considerations for other ethical issues, such as privacy.

For more details visit https://cis-india.org/internet-governance/blog/ethical-issues-in-open-data

Crypto Night

praskrishna — 2013-08-06T06:04:05Z

Challenging government snooping at an all-night cryptography party.

This article by Rahul M was published in the Caravan on August 1, 2013. Pranesh Prakash and Bernadette Langle are quoted.

Satyakam Goswami sat in a conference hall in the Institute of Informatics & Communication in Delhi University's South Campus, furiously typing code into his laptop. He typed the string “/var/log/tor#”, into a Linux terminal, then turned to me and said, “I am one step away, man.” It was around midnight on a muggy July Saturday, and Goswami had been here for six hours. He resumed typing—and cursing under his breath in Telugu as he realised that the online instructions he was following weren’t helping.

Around him, the room bustled with the activity of around 25 other people, all participants at a Cryptoparty, a cryptography event at which programmers and non-programmers meet to share information and expertise on tools that can help thwart government spying.

Goswami was one of the organisers of the event, which was led by Bernadette Längle, a German ‘hacktivist’ who is a member of the Chaos Computer Club (CCC), Europe’s largest association of hackers. Längle was one of the organisers of the CCC’s Chaos Communication Congress in 2012, an international hackers’ meet held in Hamburg that year. While processing participant applications for the Congress, she came across a group that wanted to organise what they called a “Cryptoparty” at the meet. “I thought Cryptoparty would be a bunch of guys coming together, learning crypto and having a party,” she told me. Only at the event did she realise that Cryptoparties are rather more political affairs, at which participants experiment with ways of combating governmental intrusions into privacy and freedom.

After she graduated, Längle decided she wanted to travel. “I hadn’t been to America or Asia, and I don’t think I want to enter America,” she said. “I thought India might be a good point to start.” While she was exploring her options, she met Goswami online. “I first met Bernadette on an IRC channel, ‘hasgeek’, where she expressed her interest to come to India,” Goswami said. “I suggested that she write a proposal to CIS [the Centre for Internet and Society, in Bangalore].” Längle applied, and was accepted to work with the organisation for six months.

When Längle was teaching a one-week course on email cryptography at a CIS event, a participant suggested to her that she organise a Cryptoparty in the city. “I thought I was travelling anyway, and I can make a Cryptoparty everywhere I go,” Längle said. This led to the Bangalore Cryptoparty on 30 June, followed by the Delhi edition on 6 July. Längle then held a Cryptoparty in Dharamsala in the second week of July, and plans to hold another in Mumbai in October. At each of these, she gave tutorials on specific aspects of cryptography, such as the Pretty Good Privacy (PGP) encryption and decryption program, which Edward Snowden used to communicate with The Guardian’s Glenn Greenwald during their now-famous collaboration. Participants would then experiment with these tools, sending emails and messages to each other using secure channels. The Delhi edition, which saw around 70 participants, continued late into the night, with the last exhausted stragglers shutting off their gadgets and heading home at 4 am.

I met Längle again the day after the Delhi event; with her was Pranesh Prakash, policy director at CIS, who is a commentator on issues related to surveillance and privacy. Both agreed that the Indian government’s Central Monitoring System programme, as well as Edward Snowden’s recent leaks, had resulted in a greater interest in cryptography in the country in recent months. “Without the PRISM stuff, there wouldn’t have been so many people attending,” Längle said. “People are concerned about that.” Prakash believes that the NSA leaks have served as a loud wake-up call about a longstanding state of affairs. “It’s this I-told-you-so moment for lots of people right now,” he said. “This isn’t the first time there have been revelations about the NSA spying beyond their authority. These revelations have been happening at least since 2006.”

For more details visit https://cis-india.org/news/caravan-magazine-august-1-2013-rahul-m-crypto-night